Information governance : nature and implementation from the European public administrations' perspective

(1)

Information Governance:

Nature and Implementation from the

European Public Administrations' perspective

Master Thesis prepared

with the view of obtaining the

Master HES

by :

Arina GRAZHENSKAYA

Director of Master Thesis :

Basma MAKHLOUF SHABOU, professor HES

Geneva, 6 June, 2017

Geneva School of Business Administration /

Haute École de Gestion de Genève (HEG-GE)

(2)

Information Governance: Nature and Implementation from the European Public Administrations' perspective

Declaration

This Master’s Thesis has been prepared within the framework of the final exams at the Geneva School of Business Administration (HEG) with the view of obtaining the Master of Science Degree in the Information Sciences.

The student has sent this document by e-mail to te address provided by her Master Thesis Supervisor for plagiary detection check by the URKUND software in line with the procedure the details of which can be found at the following

link:

http://www.urkund.fr/student_gorsahar.asp

The student has accepted the confidentiality clause, if circumstances so require. The use of conclusions and recommendations formulated in this Master’s Thesis, without prior judgement of their value, does not entail any responsibility on the part of neither the author, nor the Master Thesis Supervisor, nor the examiner, nor the HEG.

« I hereby attest that this work has been carried out by me alone, without using any sources other than those quoted in the References. »

Geneva, June 6, 2017 Arina Grazhenskaya

(3)

Acknowledgments

First of all, I wish to convey my special thanks to:

Basma Makhlouf Shabou, Director of my Master’ thesis work, for constantly giving me, apart from the high-skill professional support, a positive charge in the preparation of this thesis, for encouraging me, and filling me with optimism.

The whole team of la filiere Information documentaire (in its past and present composition) for the individual approach they showed their students and their willingness to accommodate their students’ needs.

The InterPARES TRUST Project for the unique opportunity to meet and talk to experts possessing the highest level of professional skills and working experience.

All interviewed experts for their willingness and preparedness to share with me their vision, knowledge, and experience backed by many years of work and unwavering interest in and dedication to their profession.

My fellow students for giving me good examples to follow and for their readiness to help.

(4)

Summary

The concept of Information Governance (IG) as a multidimensional approach to manage information with the aim of optimising the realisation of the strategic and operational corporate goals is increasingly implemented both in public and in private sector, but a common and scientific ground of this approach is yet to be defined. This Master’s Thesis has been prepared on the basis of a task commissioned in the frameworks of the research project implemented by InterPARES Trust (a multi-national, interdisciplinary research project exploring issues concerning digital records and data entrusted to the Internet). Briefly, they can be formulated as follows: understanding the key notions and components of IG and analysing the best practices of the IG in European public administrations based on the comparison of academic research and available specialist practices.

Given the exploratory nature of the study we used a qualitative approach to investigate the stated objectives. We started with document and content analysis to carry out the state of the art not only on IG’ definition and dimensions but also on relevant IG maturity assessment models, methods and tools. Based on the developed Interview Guide the semi-structured interviews were carried out with European experts and practitioners in the field of information management who can be, without exaggeration, referred to as leaders and active participants of their professional community. The information received from the experts provided some sort of empirical validation, and at a subsequent stage allowed us to summarize and correlate the already available data we had developed from the literature and the data developed from the interviews. We have succeeded in capturing and reviewing a number of important issues related to the situation of IG in the public sector, identify a range of main challenges during IG implementation and suggest a number of recommendations (related to development of IG Policies, IG services, business cases and improving of the professional skill of information management staff) that could facilitate the development of IG in public administrations.

Key words : information governance, public administrations, information management,

(5)

Declaration... i

Acknowledgments ... ii

Summary ...iii

List of tables ...vii

List of figures ...vii

1. Introduction ... 1

1.1 Context ...1

1.1.1 Information Governance: growing popularity with lack of common understanding ... 1

1.1.2 InterPARES Trust: interdisciplinary research approach to the interdisciplinary issues 2 1.1.3 The InterPARES Research Project (EU29 – EU30) ... 3

1.1.3.1 The Problem and the Research Questions ... 3

1.1.3.2 Project Objectives and Main Research Stages... 4

1.2 Research Objectives ...5

1.3 Methodology of the research ...6

1.3.1 Document and content analysis ... 7

1.3.2 Semi-structured interviews ... 8

1.3.3 Participants profile ... 8

2. The Nature of Information Governance and the Public Sector Context 9

2.1 IG Definition ... 10

2.2 IG Dimensions ... 12

2.3 Records Management vs. Information Governance ... 15

2.4 IG Assessment / IG Maturity Models ... 16

2.5 IG in the Public Sector ... 18

3. Theory and Practice of Information Governance in the European

Public Administrations : A Synthesis ...19

3.1 Taking a second look at IG Nature ... 19

3.1.1 The Definition of IG ... 19

3.1.1.1 Perception of IG ... 20

3.1.1.2 IG on the Institutional Level... 20

3.1.2 Main IG Dimensions ... 21

3.1.3 Records Management vs. Information Governance ... 22

3.1.4 IG Principles ... 23

3.1.4.1 Identification ... 23

3.1.4.2 European public administration context ... 23

3.1.4.3 IG International context ... 23

3.1.4.4 IG Principles and GARP ... 24

(6)

3.1.4.4.2 Advantages and shortcomings... 24

3.1.4.4.3 Coverage ... 24

3.2 IG in the European public administration context... 25

3.2.1 IG goals ... 25

3.2.1.1 Trusted basis of administration ... 25

3.2.1.2 Personal data and Open access ... 26

3.2.2 IG stakeholders ... 27

3.2.3 IG Impacts ... 28

3.2.3.1 Efficiency / Effectiveness ... 29

3.2.3.2 Transparency ... 29

3.2.3.3 Formalization / Standardization ... 29

3.2.3.4 Technological improvements / Digital transformation... 30

3.2.3.5 Style of work ... 30

3.2.4 IG Legal frameworks ... 30

3.2.4.1 International standards ... 31

3.2.4.2 European regulations ... 31

3.2.4.3 National / local regulations ... 31

3.2.4.4 Internal regulations ... 31

3.3 IG implementation (Public Sector) ... 32

3.3.1 IG requirements ... 32

3.3.1.1 Cultural and organisational changes ... 32

3.3.1.2 Employees’ behaviour ... 33

3.3.2 Initial IG assessment ... 33

3.3.3 IG Policy paper ... 34

3.3.3.1 The Road Map... 34

3.3.3.2 Political Support Tool ... 34

3.3.3.3 Format ... 34

3.3.3.4 Dissemination ... 35

3.3.4 Main actors / Roles and responsibilities ... 35

3.3.4.1 Information and Communication Officer ... 35

3.3.4.2 Implementing Body ... 36

3.3.4.3 Society ... 36

3.3.5 Information management staff ... 36

3.3.5.1 Professional level ... 37 3.3.5.2 Hybrid professionals ... 37 3.3.5.3 Trainings ... 37 3.3.5.4 IT tools ... 38 3.3.6 IG Assessment tools ... 38 3.3.6.1 Maturity Models ... 39 3.3.6.2 ARMA’ IGMM ... 39

(7)

3.3.7 IG Risks ... 40 3.3.7.1 IG Risks dimensions ... 40 3.3.7.2 Information risks ... 41 3.3.8 IG Success stories ... 41 3.3.8.1 « Sydarkivera » (Sweden) ... 41 3.3.9 IG Challenges ... 42

4. Recommendations ...43

4.1 Development of the IG Policies Papers... 43

4.2 Development of the IG services for Public Administrations... 44

4.3 Development of the IG « business cases » ... 44

4.4 Development of the training modules on IG ... 45

5. Conclusions ...45

Bibliography ...48

Annexe 1 : Methodology of the research ...52

Annex 2 : « Pair of spectacles » : analysis literature grid ...53

(8)

List of tables

Table 1 : Research objectives: EU29, EU 30,MT ... 6

Table 2 : Main IG Dimensions ... 14

Table 3 : Main IG Dimensions (from the literature and experts’ perspectives) ... 21

Table 4 : Information Governance vs. Records and Information Management ... 22

Table 5 : IG Challenges ... 42

List of figures

Figure 1 : Methodology of the research ... 7

Figure 2 : Interfaces of IG ... 13

Figure 3 : Trusted basis of administration ... 26

(9)

1. Introduction

The last decades have seen the development and introduction of digital technologies take off and take hold at a blinding speed. And the world has been changing with equal precipitance under their influence: the changes have affected and have already signifi-cantly altered the modern society, the lives of people and their communities, policies, communications, models of business, production, and governance.

And although this technological revolution - no exaggeration there - is not the first one in the history of mankind, yet it is for the first time that this revolution is centred on and driven by digitalized information. And notions like « information-oriented society », « digital era », « data revolution » are gradually becoming commonplace, taking roots in our consciousness.

Information itself is being transformed and so are the ways of working with it: volumes of information are growing to colossal proportions, information flows are becoming more complex, and the content and format of information are constantly evolving. Now, the information agenda firmly includes electronic information and data management issues covering access to information and information storage and protection.

1.1 Context

Managing information with the view of ensuring its effective and efficient use for both personal and public purposes is hardly a new task in the list of information-related is-sues. Yet, today we speak of the changing context of information management deter-mined by the opportunities, challenges and threats stemming from the digitization of information. And this context calls for diverse and multidisciplinary approaches.

1.1.1 Information Governance: growing popularity with lack of

common understanding

Perhaps, it is this that holds the answer to the question why the concept of Information Governance (IG) as a multidimensional approach to manage information with the aim

of optimizing the realization of the strategic and operational corporate goals (InterPARES) is rapidly gaining popularity.

Information Governance is increasingly implemented both in public and in private sector, but a common and scientific ground of this approach (Kooper 2011) is yet to be defined/formulated. Also, there is a lack of academic research in this area and insufficient effort to analyse the experience of professional IG practitioners that has

(10)

Information Governance: Nature and Implementation from the European Public Administrations' perspective already been accumulated.

1.1.2 InterPARES Trust: interdisciplinary research approach to

the interdisciplinary issues

Filling this research gap in the area of digital records management has been the objective of a multi-national, interdisciplinary research project exploring issues concerning digital records and data entrusted to the Internet - InterPARES Trust (ITrust 2013-2018).

The currently operative ITrust builds on the foundations of InterPARES (International Research into the Preservation of Authentic Records in Electronic Systems) carried out from 1998 through 2012. Its goal is:

« to generate theoretical and methodological frameworks to develop local, national and international policies, procedures, regulations, standards and legislation, in order to ensure public trust grounded on evidence of good governance, a strong digital economy, and a persistent digital memory »

(InterPARES Trust)

Today, ITrust is a research partnership bringing together over fifty universities and academic organizations, national and multinational, public and private, in North America, Latin America, Europe, Africa, Australasia, and Asia. The researchers are experts in archival science, records management, diplomacy, law, information technology, communication and media, journalism, e-commerce, health informatics, cyber security, information governance and assurance, digital forensics, computer engineering, and information policy (InterPARES Trust).

Thanks to the interdisciplinary composition and its geographical coverage InterPARES Trust offers an appropriate scientific context to develop a much-needed theoretical Information Governance framework with appropriate methods and related tools.

If we try to formulate the goal of the whole research partnership in a pithy manner, we need not look any further than its very name – the word is « trust »: it is all about find-ing ways to manage digital information and data in such a way as to build (and main-tain) the trust of the whole society and its individual members in digital records online, their confidence in the Internet environment which is so vulnerable to bad faith competi-tion, all sorts of unscrupulous manipulations and abuse in pursuit of often dubious goals?

Open democratic societies always aspire to broaden access to information while main-taining their tradition of protecting people’s privacy. Achieving a balance between the

(11)

transparency of management and the protection of confidentiality has a great societal significance and public institutions play a crucial role in this area.

Several InterPARES Trust projects have been devoted to researching various aspects of Governmental e-Services and digital information management in Governmental agencies.

1.1.3 The InterPARES Research Project (EU29 – EU30)

In January 2016, the InterPARES Trust European Regional Team embarked upon the implementation of the project « Information Governance Maturity in European Public Administration » Phase 1 to tackle the research questions of theoretical and entirely practical nature (Project EU29), with Phase 2 (EU30) to follow.

The projects timeframe is 2016 - 2017. The principal researcher of the project is Dr. Basma Makhlouf Shabou, Professor in charge of archival studies at the Information Science Department of the Geneva School of Business Administration (HEG). His co-investigator is Dr. Elizabeth Lomas, Senior Lecturer in Information Governance, Uni-versity College London.

This Master’s Thesis (MT) has been prepared on the basis of a task commissioned by the InterPARES Trust European Regional Team within the framework of Phase 1 im-plementation.

1.1.3.1 The Problem and the Research Questions

Digital transformation has increased the need to reinforce the management of infor-mation resources, especially when these latter become a valuable corporate asset (Hagmann 2013, p.231). At the same time, one would notice that information and rec-ord management practices of the past were not always up to the task of dealing with legal (privacy, information accessibility, etc.), technical (archival functions and tools), and technological (long-term preservation, clouds, etc.) issues of information manage-ment. And if we are to consider IG as a potential solution to this kind of problem, we have to admit that, despite its rising popularity that we mentioned earlier, the introduc-tion of IG still remains insufficiently consistent and effective.

Traditionally, the private sector possesses larger financial resources and greater flexi-bility of management for the introduction of new approaches. Thus, according to the SerdaLab research laboratory, private firms in France are way ahead of public and non-governmental organisations in terms of implementing digital infor-mation management projects (SerdaLab 2016).

(12)

However, it is in the public sector that IG could play an important role of a kind of ethi-cal lens, which substantially enhances the societal significance of implementing IG in public administrations. For IG draws attention to the needs of a broad range of stake-holders who all have a vested interest in the efficient management of their records which would ensure their reliable and prolonged storage, given the competing consid-erations concerning access to and retention and destruction of information. Public ad-ministration entities dealing efficiently and effectively with this task as a matter of their routine activities would also contribute significantly to building and reinforcing public trust in the institutions of the State.

A key issue inextricably linked to the implementation of IG programs is the IG level as-sessment. Furthermore, the accuracy of assessment at various stages (starting with the initial IG assessment) could well determine the success or failure of the whole pro-gramme, the way it is tailored to tackle specific problems in the organisation, and the prospects for its future development.

So, what are the methods and tools available to the specialist community for carrying out assessment of the so varied IG domains? Currently, there is a number of policies and tools of information and records management available (e.g. those developed by ARMA International); there is also a range of IG frameworks related mainly to infor-mation security issues (while leaving inforinfor-mation management concerns unaddressed) (ISACA 2012), yet none of these can be applied to all dimensions of IG and there is not a single one that would apply specifically to the public sector.

It is exactly because of the need for closer scrutiny of IG in the public sector in the con-text of the information-related sciences as a whole and the archiving sciences in partic-ular that the InterPARES has selected the following questions as the objective of this investigation:

a. What is the nature, the dimensions, main actors of the IG in European pub-lic administrations? (EU29)

b. What is the maturity level of IG practices in European public administra-tions? (EU30)

1.1.3.2 Project Objectives and Main Research Stages

Jumping ahead a little, we would like to point out straight away that the objectives of the project’s Phase 1 fully coincide with the objectives of our research activities and for this reason they will be described in detail later in the text.

(13)

Briefly, they can be formulated as follows: understanding the key notions and compo-nents of IG and analysing the best practices based on the comparison of academic research and available specialist practices. This will lay down the groundwork for Phase 2 (EU30) whose chief objective is the development and piloting of the IG maturi-ty assessment model in European public administrations.

Speaking of the research methods, we shall only touch upon the first phase of the pro-ject (as it is implemented to date). This qualitative study provided for carrying out a small sampling exercise focused on IG experts and professionals in the European context with a specific interest in European public administration. These experts were identified on the basis of specific criteria (years of practical experience, valuable pro-jects and realizations in the Information Management domain, etc.). Data collection envisaged the following types of data gathering and processing: document and content analysis; semi-structured interviews with experts to produce the basis for the develop-ment of a questionnaire, which enables a definition and framework to be tested; and development of user cases.

1.2 Research Objectives

The main objectives of this Master’ Thesis (MT) are to:

1. Understand the main dimensions that compose and distinguish the IG as described in the academic studies and professional practices

2. Propose a definition for IG

3. Propose a framework of IG best practices, which can be applied across European public administrations

As it has been mentioned before, the declared objectives coincide with the aims of the EU29 phase of the project; which is explained by our direct involvement in the project activities at the following stages:

1. Document and content analysis

2. Semi-structured interviews with experts: conception, validation and realisation of data collection and analysis

(14)

Table 1: Research objectives: EU29, EU30, MT

Research Objectives EU 29 EU30 MT

1. Understand the main dimensions that compose and distinguish the IG as described in the academic studies and professional practices

x x

2. Propose a definition for IG x x

3. Propose a framework of IG best practices which can be applied across European public administrations

x x

4. Recommend an IG maturity assessment model x

5. Analyse the existing IG in European public administrations context on the bases of proposed IG maturity assessment.

x

6. Test and validate an IG maturity assessment model with operational guidelines

x

1.3 Methodology of the research

Given the exploratory nature of the study we used a qualitative approach to investigate the stated objectives.

The chart below gives a graphical representation of the methodology used in our research (Figure 1, See also in Annex 1). The chart clearly shows the interconnection between the InterPARES research project and our Master’s Thesis work shows the sequence of the research’ major stages.

(15)

Figure 1: Methodology of the research

1.3.1 Document and content analysis

We started with document and content analysis to carry out the state of the art, not only on IG’ definition and its principals, actors, processes but also on relevant IG maturity assessment models, methods and tools.

When selecting literature relevant to IG issues, we were pursuing the primary objective of identifying publications focusing on various aspects of IG in the Public Sector. However, due to the fact that this domain is still largely unexplored, we expanded the circle of reviewed publications to include general literature on IG. Also, we did not limit ourselves exclusively to academic work but rather turned to reports prepared by various research groups and organisations, Policy Papers, legal and norm-setting documents, etc.

(16)

for the selection and subsequent analysis of the bibliography - a pair of spectacles of sorts affording us greater clarity when contemplating the topic. We tried to set time boundaries, considering materials published from 2010 on. We also attempted to identify publications that would give an idea of the status of IG in the Public Sector both in individual European countries and on the European and international levels (See Annex 2).

The analysis of the identified literature was carried out, following the InterPARES Trust project’s objectives. Thus, we were able to outline the circle of issues discussed in the current publications within the IG context. We shall call them the Key IG’ Topics that we defined for our subsequent interviews with experts.

1.3.2 Semi-structured interviews

Based on the Key IG’ Topics we developed an Interview Guide for carrying out the semi-structured interviews within the InterPARES Trust project framework. The questions were divided into 8 main groups and an Introduction (allowing to build the experts’ professional profile); each of the groups was devoted to one or several Key IG’ Topics. Moreover, the questions were formulated in such a way as to identify the expert’s opinion both on specific aspects of IG as a whole and in relation to the overall context of the European public administration. The complete list of questions can be found in the Annex 3. The Interview structure and internal logic included consecutive discussions of the following themes:

- General questions (IG definition, subject dimensions, goals, impacts) - IG principals (IG Frameworks and Models)

- IG Standards (Standards, Norms, regulations, Internal policies) - IG Implementation in Public Sector

- IG Assessment and Maturity models - IG Risk Management

- Best practices and Recommendations - Challenges

Semi-structured interview with each expert would take an hour, on average. The majority of the interviews, given the geographical spread, were conducted via Skype. Each interview was recorded and later on transcribed, with the final text being agreed with the interviewee.

1.3.3 Participants profile

(17)

Sweden, and Switzerland. The experts who have taken part in the interviews can be, without exaggeration, referred to as leaders and active participants of their professional community. Each one of them is a top-class specialist with impressive professional experience (20 to 30 years and more) in information management, archiving and records management, both in the private and the public sectors. A number of the experts have a record of working in international organisations and in the sphere of consulting and research. The majority of the interviewees is engaged in teaching, and participates in the activities of local, national and international professional associations (ICA, DLM Forum Foundation, ARMA, Francophone International Archival Portal, among others). Currently, five of them are the heads of archives (from a municipal archive of a small town to a national archive).

The information received from the experts provided some sort of empirical validation, and at a subsequent stage – the synthesis – allowed us to summarize and correlate the already available data we had developed from the literature and the data developed from the interviews. This made it possible for us to review each of the Key IG’ Topics in a more comprehensive manner based on the professional feedback we had already received and sum up the accumulated information.

The value of the information related to practical experiences of IG Implementation, particularly in the area of Public Administration, that we received in the course of the interviews cannot be overestimated. It turned out that in relation to certain issues « the theory » and « the practice » were, so to say, walking hand in hand, while in other cases they would diverge completely. And then, this would give rise to a new question and offer a chance to look at the topic from a different angle. We would also like to point out that sometimes the vivid, colourful, metaphor-rich speech of the experts itself would make us look at an issue in a new way.

As a result of the work accomplished at this stage we were able to move on to the development of recommendations on the IG definition, expose our understanding and vision of what makes up the main dimensions of the IG, and, based on IG best practices, offer a number of recommendations that can be applied across European public administrations.

2. The Nature of Information Governance and the

Public Sector Context

While gaining in popularity (for instance, according to a research performed by the SerdaLAB in France, IG has become reality for 66% of the surveyed organisations

(18)

(Serda LAB 2016, p.4), IG as a scientific discipline is still work in progress with its con-ceptual framework being elaborated and its dimensions defined. The IG Programmes currently under implementation need thorough assessment and the growing practical experiences require an analysis of lessons learned.

2.1 IG Definition

A part of the Information Governance Initiative Annual Report 2015 -2016 (IGI 2015, p. 15) was devoted to the issue of producing « a common language » for IG which indi-rectly points to the lack of consensus on the issue. Notably, one of the most debated issues is the IG definition itself.

The discussion is indeed a global one. Perhaps, this explains why we did not find any publications attempting to define IG in the European context or in the context of the public sector when we were identifying literature sources using the analysis literature grid we had developed.

In our opinion, the current polemic around the definition of IG follows two paths: one is an internal specialist discussion (whose objective is to find a generally accepted defini-tion), and the other is a search for a definition that could be presented to the « greater world » - primarily, to the business community - to facilitate a more successful promo-tion of the IG concept.

In our view, an example of an IG definition intended rather for « internal » use is the one given in Gartner’s IT Glossary:

« IG is the specification of decision rights and an accountability framework to en-sure appropriate behaviour in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals » (Gartner)

This definition quite clearly shows the desire to give a rather detailed description of what IG « actually does ». The definition given by Hagmann is also addressed mostly to the professional community; it, too, contains the idea of outlining the IG perimeter, and the use of the word « art » - so rare in this context - seems to be a reference to the professional art:

« IG is a the art of trusted interaction between the major stakeholders of an IG

programme (IT, Business, Legal and Compliance, RIM, Security and Privacy). They aspire to joining up in order to minimize information risks to the enterprise while maximizing the value of information assets through building desirable behaviours and enabling cross-functional decision making »

(19)

In terms of the search for an IG definition suitable for promoting IG as a concept that may potentially be adopted as a central concept of information management in organi-sations we clearly discern a trend to produce a definition that is pithy and extremely brief (not to say primitive) worded in a language that is understandable for the business community. As an example we can quote the following definition of IG described as « crystal-clear » by the author himself: « IG is security, control, and organization of in-formation » (Smallwood 2016, p. 13).

In his book addressed specifically to Executives, Smallwood stresses that the numer-ous IG definitions often confuse company executives, while the IG itself begins to « suffer » from their excess and diversity « causing IG to become a foggy and often misunderstood concept » (Smallwood 2016, p. 13).

Probably, this is an extreme point of view, yet it also points to the demand for a univer-sal IG definition that would, on the one hand, correspond to the status of IG as a scien-tific discipline and satisfy the expectations of the professional community and, on the other, sustain the « marketing » qualities of IG.

Otherwise, there is a chance of having two conceptual frameworks running in parallel; one for internal and one for external use.

Virtually every academic paper offers, in this or that way, a certain designation of IG or its characteristic, regardless of whether the author aims to suggest his own definition or not. In this sense, one has an impression that the common understanding is there since the existing numerous and varied formulations are largely similar enough in their meaning. For this reason, Blair, one of the founders of the Information Governance Initiative, suggests that the discussion shall do better focusing rather on the existing similarities than differences (Blair 2012).

Thus, the following framework is suggested for the elaboration of a generally accepted IG definition: whatever the actual wording of the definition may be, it should cover the following four traits of IG:

- Encompassing all types of information,

- IG as an « umbrella » framework, i.e. including the whole range of information man-agement activities,

- Aiming for enhanced information management in a situation of the constantly present dualism between legal risk and business value,

(20)

The definition proposed by Blaire himself includes all of the points above and is being actively promoted and popularised today by the Information Governance Initiative and its corporate partners:

« IG is a comprehensive program of controls, processes, and technologies de-signed to help organizations maximize the value of information assets while min-imizing associated risks and costs »

(Blair 2012)

The definition proposed by Kooper et al. substantially differs from the approaches to be found in the existing literature on the subject:

« Information Governance is the set of activities aimed at establishing a normative foundation to facilitate and stimulate sense-making interactions » (Kooper et al. 2011, p. 197)

Having analysed the essence of the interaction between the processes of governance and information exchange, Kooper et al. propose to look at the IG concept precisely as the governance of « sense making interactions » (and not of « assets ») among actors operating in the information transfer space (Kooper et al. 2011, p. 197).

The presence of diverse approaches to the definition of IG in contemporary literature shows that the search of a « single » IG definition remains a relevant task today.

2.2 IG Dimensions

Following the previously reviewed definitions and other references, IG is often seen as an « umbrella », multidisciplinary, or multidimensional approach, some kind of a comprehensive program – why is that, and what does IG actually include?

Analysing the existing literature, we cannot but notice that various authors use completely different terms to describe what IG is about; they talk of disciplines, interfaces, key fields, [etc.] (which again brings us back to the relevance of forming a common language for IG).

In our study we shall use the term « dimension » (as it is designated in the InterPARES Project EU29). We should point out straight away that there appears to be no open debate on this topic going on today. Authors just outline a certain list of main dimensions that compose and distinguish the IG without engaging in desk debate. Wildhaber et al. distinguish two groups of IG dimensions where each dimension be-longs to the two main interconnected spheres or contexts of IG, namely, Information Technologies and Business (Wildhaber et al 2015 p.177). The diagram below clearly shows the authors’ vision of how IG emerges precisely at the junction of these two spheres.

(21)

Figure 2: Interfaces of IG

(Free adaptation from Wildhaber et al. 2015, p.177)

Looking at the work of other authors, we can see that the main IG dimensions they identify coincide with those suggested by Wildhaber et al. and, in our opinion, can be provisionally grouped according to their belonging to one of these two main spheres. The same applies to the results of the survey conducted by the Information Govern-ance Initiative within its community in 2014. The respondents were asked to specify which of the suggested 10 diverse activities (both risk-and-value-focused) were includ-ed in their concept of IG (Information Governance Initiative 2014, p.13). The results in the top part of the list (by their percentages) also generally correlate with the diagram of Wildhaber et al. The results also allowed the survey’s authors to conclude that de-spite the importance of the « value » side of IG, « the risk side appears to be leading IG today » (Information Governance Initiative 2014 p.14). And although this study was a free survey of an audience (rather than specifically determined representative groups), it probably quite accurately reflected the trend in how the professional community de-termined the integral parts of IG.

Based on the top results of the survey and the lists we found in the publications of Smallwood, Blair, and IBM, we have built a comparative table which, without any claims to be exhaustive, helps identify the more frequently mentioned of the main IG dimensions. It also includes selected corresponding items from the diagram of Wildha-ber et al.

(22)

Table 2: Main IG Dimensions

So, the list of the main IG Dimensions based on the quoted literature sources looks as follows:

1. Records management 2. Privacy and security

3. Business Process Management 4. IT-Management

5. Legal & Compliance 6. Data Governance 7. Risk management 8. Archiving Smallwood 2014 «Key fields» Blair 2011 «Disciplines» Information Gov-ernance Initiative 2014 «Facets» IBM 2014 «Core disci-plines» Wildhaber et al 2015 «Interfaces» Records management Record man-agement and retention Records and Information management (97%) Information Lifecycle Management Records Management Privacy and security

Security and pro-tection (93%); Pri-vacy (81%) Privacy and security Security Business operations Business analytics Business operations and management (70%) Business Process Management IT IT-Governance IT-Management (67%) IT-Governance

Law Compliance (92%) Legal &

Compliance Archiving Archiving and data

storage (81%) Risk Management Risk Management (84%) Data Governance (86%) Data quality management Data Governance

(23)

2.3 Records Management vs. Information Governance

The Table above points to a conclusion that as far as Records and Information Man-agement (RIM) (which is ever more often being referred to by the term « Information Lifecycle Management (ILM) ») is concerned, as one of the IG dimensions, no diverg-ing opinions appear and there is a full consensus.

Therefore, the title of this paragraph might be taken in quotes, since for the profession-al community, in fact, this «opposition » does not exist. While there is a clear under-standing that the fundamental difference lies in the very notion of « governance » on the one hand, and the clearly defined boundaries of the scope of records management on the other.

Thus, Jules et al. state that the IG policy is not limited to "everything that governs the life cycle of information", but it "can go much further" and cover such areas as confi-dentiality, personal data protection, security, and etc. (Jules et al 2013, p.54).

However, from the moment the IG concept was created the professional literature regu-larly tackles the theme of the relationship between IG and RM with the question of the nature and “parameter” of IG in the background.

Thus, for instance, while arguing that many principles and the foundation on which the new IG concept is being built are not new, Juerg Hagmann puts forth the question to what extent this « new paradigm » is actually new and whether it may be just « old wine in new pipes »? At the same time, the author himself, in that very article, comes to the conclusion that RIM or ILM « is just one but important element in a larger IG pro-gram » (Hagmann 2013, p. 230). As a rule, the majority of authors who have written papers under a general tag of « Records Management vs. / or / and Information Governance » come to the same conclusion (Blair 2011 (d), Sherpa Software, Stukaloff 2015).

The discussion and understanding of the differences between IG and RIM transcends the boundaries of a intra-professional academic exercise. The important point is that the understanding of this difference helps organisations plan and implement IG in their actual operations (Blair 2011 (d)) because what we see in practice is not so much the comprehension of these notions as their confusion or substitution.

(24)

documents and data turn to data governance (DG), information governance, and records management strategies. At the same time, « many pundits and providers conflate these terms into a single practice », while « each has a unique role to play ». Being himself a representative of the IT industry1_{, Hammack provides an explanation of}

the difference among these concepts in a language that is readily understood by the business community, an explanation that can be summed up as follows: RM concerns with life-circle; DG « helps companies identify where their data is located, how it can be accessed, under what circumstances »; « IG addresses the management of all information in an organization no matter its type, location or function » (Hammack 2016).

Despite Parapadakis’ call expressed in the title of his paper « Stop Comparing Information Governance to Records Management - Take2! » (Parapadakis 2014), we are of an opinion that comparing and correlating IG as a discipline to RIM, Data Governance, IT Governance, etc. is not unuseful for the understanding of its nature.

2.4 IG Assessment / IG Maturity Models

A key issue inextricably linked to the implementation of IG programs is the IG level as-sessment. Furthermore, the accuracy of assessment at various stages (starting with the initial IG assessment) could well determine the success or failure of the whole pro-gramme, the way it is tailored to tackle specific problems in the organisation, and the prospects for its future development.

So, what are the methods and tools available to the specialist community for carrying out assessment of the so varied IG domains? Currently, there is a number of policies and tools of information and records management available (e.g. those developed by ARMA International); there is also a range of IG frameworks related mainly to infor-mation security issues (while leaving inforinfor-mation management concerns unaddressed) (ISACA 2012), yet none of these can be applied to all dimensions of IG and there is not a single one that would apply specifically to the public sector.

In the opinion of Proenca et al., despite the existing best practices, standards, and oth-er refoth-erences, organisations aspiring to embrace IG best practices, often are unable to determine in a « straightforward manner » neither the extent to which their current

1_{Denny Hammack is CEO of}_FileSolve_{, an industry-leading provider of electronic document} management solutions.

(25)

cesses meet those standards, nor the specific objectives they need to set themselves to make sure that they do (Proenca et al. 2016, p. 15).

« An assessment is a systematic method for obtaining feedback on the performance for an organization and identify issues that affect performance » (Proenca et al. 2016, p.17). The creation and use of maturity models as an assessment tool is a very com-mon practice. They make it possible to measure the maturity level, helping to identify the gap between the current and the desired levels. Their use is relevant for the identi-fication of strengths and weaknesses of the organisational context under review and for the adjustment of aims and objectives.

The maturity levels are frequently distributed between a base reference level (meaning the lack of maturity) and the highest fifth level (a fully mature and self-optimizing pro-cess).

There is a multitude of maturity models; a number of maturity models have been devel-oped to apply to many of the IG dimensions. At the same time, efforts are made to de-velop a comprehensive, « universal » model for the whole scope of IG.

Probably, the best-known and most actively promoted maturity model is the IG Maturity Model (IGMM) developed by ARMA International (ARMA IGMM 2013). The IGMM measures the maturity of organizational culture and processes as they relate to AR-MA's Generally Accepted Recordkeeping Principles (GARP), distinguishing among five levels of maturity. The critics of this model, Smallwood, among others, claim that the model is focused solely on Records and Information Management (RIM) to the exclu-sion of all other IG dimenexclu-sions and it will be more accurate to rename it the IGMM-RIM (Smallwood 2015).

Another Information Governance Maturity Model developed in the context of the E-ARK project2_{, is based on ISO16363}3_{and ISO20652}4_{from the archival domain, and consists}

of three dimensions: Management, Process, and Infrastructure. For each dimension it has a set of five levels. (Proenca et al. 2016, p.20). This model was presented when the semi-structured interviews for the InterPARES Research Project had already been completed, so, unfortunately, we were unable to receive any feedback.

2_{E-ARK Project (European Archival Record and Knowledge Preservation),}

http://www.eark-project.com/

3_{ISO 16363:2012}_{Space data and information transfer systems – Audit and certification of}

trustworthy digital repositories.

4_{ISO 20652:2006 Space data and information transfer systems}_{– Producer-archive interface –}

(26)

2.5 IG in the Public Sector

While the general context of management of the information is determined by digitalisa-tion of informadigitalisa-tion, the IG context in the public sector is shaped by the continuously growing trend of opening up government data (Janssen 2011, p. 446).

This trend has been significantly influenced by the EU Directive 2003/98/EC on the re-use of public sector information, otherwise known as the PSI Directive that encourages EU member states « to make as much public sector information available for re-use as possible » (Wikipedia).

The concept of Open Government Data is actively spreading around the world. Thus, according to the Open Government Partnership5_{that was}_{launched to provide an}

international platform for domestic reformers « committed to making their governments more open, accountable, and responsive to citizens », in 2011, the year of its founding, the Partnership had 8 participating countries and by 2016 they already numbered 69 (Open Government Partnership).

In Europe, the Digital Agenda for Europe launched by the European Commission in 2010 became one of the catalysts for the broad Open Government movement. It is « aimed at boosting Europe’s economy by delivering sustainable economic and social benefits from a digital single market » (European Commission 2014). For the Public Sector it was a signal to make public sector information available on « transparent, effective, non-discriminatory terms » (quoted from Janssen 2011, p. 446).

We can assume that the adoption of the Digital Agenda for Europe has also triggered a growing interest to Е-Government in the academic community: the following couple of years have seen a significant amount of publications and research on this topic. In the opinion of Janssen and Zuiderwijk, all of them are generally focused on the benefits of open data, while quite often this remains unconfirmed by any concrete data. Conducting their own research on the basis of expanded interviews with top-level managers, Janssen and Zuiderwijk identified about sixteen possible negative consequences of opening data (the major ones are violation of privacy and potential « misuse and misinterpretation of data »); they suggest following a realistic approach and stop ignoring the « dark side » of open data (Janssen and Zuiderwijk 2104, p.147).

5_{https://www.opengovpartnership.org}

(27)

We assume that the development of Е-Government and e-services incentivised the promotion of IG in the public sector as well, as the potential of IG with its multidimensional approach to the management of information may correspond to the growing need to deal with big volumes of digital information and metadata.

According to Grimstad and Myrseth, IG may be seen as a « key success factor » for effective and efficient E-Government and plays an important role in the « implementation of an open, transparent, accessible, accountable, user-friendly and service–oriented public sector » (Grimstad and Myrseth 2011).

The healthcare sector where the issues of medical data management and security has ever been one of its specific features has become one of the pioneers of IG implementation and IG policies development (Pagnamenta 2014, с.5).

Currently, IG policies [steadily] find their way into public administrations of all levels and in different sectors. Yet the most vivid example (and, partly, most popular) of IG implementation at the national level is where the transfer from records management to IG has become a political priority contributing to the improvement of public services and is built into the State Policy governing the organisation of public services (Republic of Estonia, Ministry of Economic Affairs and Communications).

3. Theory and Practice of Information Governance in

the European Public Administrations : A Synthesis

In this Chapter we have analysed and summarised the information obtained in the course of the interviews, which allows us to go back to examining the topic of the IG definition and dimensions, outline the main IG principles and standards from the perspectives of leading European experts and information management professionals. This first-hand information gives an opportunity to understand the challenges and constraints that the promotion of IG in public administrations faces and what we can consider to be best practices.

We have actively used quotes from the interviews to convey, to the extent possible, the atmosphere of the lively dialogue and discussion.

3.1 Taking a second look at IG Nature

3.1.1 The Definition of IG

(28)

literature, there was a single mention of only one definition offered by Barclay T. Blair6

as being closest to expressing the essence and purpose of IG.

Otherwise, the general approach could be described using the words of an expert who pointed out that the professional community was still searching for such a definition, while, currently, « there is no unique definition, accepted internationally. We are still choosing the definition of IG and share common points » (Expert 5).

3.1.1.1 Perception of IG

It is evident that IG is perceived as a general or global concept of information or comprehensive and complex process with the wide scope of information concerns. It will be noted that, while talking of the scope of IG, the interviewees used expressions directly referring to its comprehensiveness:

«…it’s a general concept taking care of information in all its aspects » (Expert 2), «…it’s a bundle of rules (ethical rules, legal rules)… all about defining objectives to achieve a framework for the handling of information » (Expert 7),

«…it’s everything you do in order to manage your information according to your concerns » (Expert 3).

Probably, this can be attributed to the « broadness » of the subject dimensions of IG. 3.1.1.2 IG on the Institutional Level

We wanted to lint the theoretical issue of IG definition to practice and find out how IG could be defined from an institutional point of view.

Having synthesised the responses received, we can offer the following definition of IG

(at the organisational or enterprise level):

IG is a « strategic plan » which covers organizational structures, business processes, and available technology in their entirety from the perspective of a producer, a consumer (or from the prosumer’s perspectives).

For an organisation, the processes associated with the implementation of an IG program mean a transformation in a rather broad sense as IG can be seen as something more than a simple transformation of tools, structures, processes, or technologies. In words of one of the experts, «… it’s more like information culture that we have to put together and to work with…it’s more like a cultural way of thinking of

6

_{« IG is a comprehensive program of controls, processes, and technologies designed to help}

organizations maximize the value of information assets while minimizing associated risks and costs » (Blair 2012)

(29)

information » (Expert 1). It affects the culture of the organization.

3.1.2 Main IG Dimensions

During our first interview, while answering the question on subject dimensions, one of the experts gave us a piece of advice for subsequent interviews, pointing out that we should by all means specify the context in which IG was being considered as this would be the determining factor for the answer. We followed this recommendation and added this question to the Interview Guide.

Generally, taking into account the background and professional experience of the experts, we can say that the majority of the interviewees were closer to the public administration and record management context.

The Table below includes the main IG dimensions defined on the basis of the literature analysis and more frequently mentioned by the experts.

Table 3: Main IG Dimensions (from the literature and experts’ perspectives)

№ IG DIMENSIONS EXPERTS LITERATURE

1 Records and Information management ✔ ✔

2 Business Process Management ✔ ✔

3 Risk Management ✔ ✔

4 Privacy and security ✔ ✔

5 IT-Governance ✔ ✔

6 Data Governance ✔ ✔

7 Legal & Compliance − ✔

8 Archiving − ✔

9 Enterprise architecture ✔ −

(30)

and in literature and appear to be good candidates for forming the main circle of IG dimensions.

Naturally, the stage-by-stage comparison of literature sources and the experts’ opinions we have undertaken has no claims of scientific accuracy, yet it does reflect the trend in the perception of this issue.

3.1.3 Records Management vs. Information Governance

In order to be able to more clearly define the nature and the « borderlines » of IG, we have decided not to forgo its comparison, repeatedly undertaken in the literature with a rather well established notion of Records and Information Management (RIM), and included a question on differences (if any) between the two into the Interview Guide. The table below contains the definitions given by the experts who see a clear distinction between IG and RIM and think that the concepts « are not identical and should not be used as synonyms » (Expert 6).

Comparison of the proposed definitions again shows that, in general terms, IG is perceived as a certain concept / strategy, which determines the main principles and policies, while IM is a tool for their implementation.

Table 4: Information Governance vs. Records and Information Management

IG RIM

Strategic / political level based on the formal policy

One of the means to reach that political level, to make IG policy possible

IG defines the principles and the strategy

IM is applied to implement these decisions

General Policy / Decision making level Operational Policy / Operational level

More abstract Deals with the implementation of IG

« What to do and why? » « How to do it? »

We should mention separately the opinion of the expert who pointed out that currently there was no clear explanation of the differences between IG and RIM and that « IG

(31)

(as a product) has almost the same content as RlM, but it’s more attractive, has a « new face » (Expert 5).

This opinion falls quite well within the boundaries of the discussion on the « novelty » of IG we have outlined in the literature. We see it, and a similar opinion expressed in Juerg Hagmann’s « Information governance – beyond the buzz » (Hagmann 2013), rather more as an invitation for further discussion that a statement of a fact.

3.1.4 IG Principles

3.1.4.1 Identification

The theme of certain similarity between IG and RIM re-emerged during the discussion of the main/fundamental principles of IG, but this time not at our initiative. In the opinion of experts in general, the basic IG principles « are the same as the records management principles » (Expert 1). This is explained by the similarity of their organisational function (since both deal with documents (regardless of form: paper or digital) during their lifecycle and by the fact that both deal with management, access, traceability, and integrity of information. However, in addition to such « classic » principles like classification, preservation, access, and reuse, there is « a reasonable need for new principles » (Expert 3).

The interviews analysis allows us to outline a circle of essential principles that could be applicable to IG: transparency and efficiency that were both defined as major, fundamental considerations, and also accessibility, security, risk management, compliance, and accountability.

Yet, in the experts’ opinion, all the above principles « are very theoretical » and do not quite mesh with practice as in actual day-to-day work it would be preferable just « to have a system which makes sure that all decisions taken are well based and understandable » (Expert 7).

3.1.4.2 European public administration context

Within the European public administration context where the main objective is to « manage information with increasing need for transparency and openness » (Expert 8), the fundamental IG principles remain the same due to their complementarity and the need to have a whole set of principles. « No single principle should be promoted pushing other principles to the margins » (Expert 4).

3.1.4.3 IG International context

Within the intentional context, individual approaches may be different, depending on national specificities/context, yet, in the course of time, these context differences can

(32)

Information Governance: Nature and Implementation from the European Public Administrations' perspective well be overcome.

In order to achieve that, IG principles have to be internationally recognized and recommended. In the opinion of an expert having vast experience in international work, these principles play the role of an international umbrella and could be used in different countries and, if necessary, referred to, if one has to defend his/her work (in countries having totalitarian regimes or human rights issues). A special role could be reserved for international professional associations through which these principles could be promoted and advocated.

3.1.4.4 IG Principles and GARP

Taking into account the already available experience of actual application of the ARMA' Generally Accepted Recordkeeping Principles (GARP) in the development of IG policies, we included, when preparing the Interview Guide, a couple of questions answers to which should allow us to make conclusions concerning the expert community's perception of application of the ARMA’ GARP, as well as the extent to which GARP are applicable to IG domains and whether they can be seen as as a universal approach.

3.1.4.4.1 Recognition and practical experience

Based on the interviews’ results, we can state that the GARP are well-known in the professional milieu. All the experts are aware of them, yet, although the majority of the interviewees have no experience applying them in practice, they believe that « that is a kind of things, that was made not to be used, but to be aware of » (Expert 3).

Still, two experts do have practical experience, for instance, in developing a University's IG policy, when all GARP principles were used as the basis, and they follow these principles during the policy implementation as well.

3.1.4.4.2 Advantages and shortcomings

Speaking of the advantages of the GARP, the experts have pointed out that they are « a good and useful reference » (Expert 3) and « fine for information professionals » (Expert 7). These principles are also sufficiently understandable for management. However, information professionals have to make sure that these principles are implemented in the tools, which people in the administration are using. By way of shortcomings, the interviewees have mentioned that the principles are « too complex and theoretical for everyday work » (Expert 2) and « too wordy » (Expert 3).

3.1.4.4.3 Coverage

The main principles mentioned by the experts partially coincide with the GARP and, in the opinion of the majority of the experts, the main GARP are applicable in « our

(33)

domain » (Expert 5, 4). Here we should not forget, though, that the experts’ background has primarily to do with RIM.

But the interviews analysis does show that the GARP are not applicable to all IG domains as it was repeatedly pointed out that certain important aspects of IG were missing from it.

First and foremost, this concerns Risk Management and Corporate Governance aspects. Also, in the experts’ opinion, « Data Management as another discipline, Quality Management, or Enterprise architecture… could be better addressed in the GARP framework » (Expert 6).

Nevertheless, to sum it all up, the GARP can be recommended « as a kind of general starting point » and as a means « to operationalize your own processes in information » (Expert 7, 8).

In part, the GARP can be seen as « a basic and universal approach that can help to put the funding principles in every sector of an administration » (Expert 1).

3.2 IG in the European public administration context

3.2.1 IG goals

Before moving to a more detailed review of various aspects of IG we would like to discuss several issues that would help us get a better understanding of the European public administration context. Jumping ahead, we should point out that the goals identified by the interviewed experts as the ultimate goal of IG in this particular context reflect, in our opinion, what is commonly known as fundamental or European democratic values. So, we can register some commonality of stated goals and priorities for European public administrations of all levels from the European Commission to smaller municipalities.

The main tasks of IG in the public administration correlate with them and can be defined in the following manner:

1. Provide a trusted basis of administration

2. Maintain a balance between protection of personal data and open access 3.2.1.1 Trusted basis of administration

(34)

Information Governance: Nature and Implementation from the European Public Administrations' perspective constitute the goals of IG in the public administration context.

Figure 3: Trusted basis of administration

Firstly, it is transparency, which is equally important and serves the interests of both European politicians and European citizens. That said, the experts repeatedly expressed concern when speaking of the extent to which the efforts of politicians and heads of administrations to be as transparent as possible were actually effective. Because there is every reason to believe that « it’s fashionable to speak about governance transparency. So, everybody uses this key word now » (Expert 2) . Transparency, in turn, is closely linked to other goals. A point was made that it was necessary « that transparency has to be linked to efficiency to manage citizens’ affairs » (Expert 4). Another IG goal is « to give access to the citizen to as much information as possible » (Expert 2).

Another primary goal is to ensure the supremacy of law « to make public administration accountable to all stakeholders » (Expert 7).

3.2.1.2 Personal data and Open access

Throughout their daily activities public administrations store a great volume of infor-mation about citizens, some of it confidential and rather sensitive. Usually, citizens be-lieve (or do not particularly concern themselves) that governmental institutions have all the necessary means to handle personal data. Yet, in today’s reality this is far from being so at all times because of mistakes in the course of implementation or data man-agement (Thompson et al. 2015, p. 316). And, as one of the experts has pointed out, public administrations are trusted with fulfilling a challenging task of high societal signif-icance « to manage information in a better and more transparent way, respecting bal-ance between personal data and open access » (Expert 5).

Transparency Efficiency

Access Supremacy of law

Fundamental European values

(35)

3.2.2 IG stakeholders

The experts were unanimous in that there are no entities with a greater interest in IG than public administrations themselves (from the national Government to municipal level), politicians and executive/political persons sitting on the Boards of institutions. It would seem rational to assume that the « next in line » in terms of vested interests should be citizens and general public or the society as a whole. And those were indeed mentioned, yet if we had had a chance to discuss the extent of citizens’ interest in this, we should have had (which is a bit of a paradox) a rather lively and controversial discussion. Thus, some experts, notably, the ones whose daily work in archives involves servicing citizens, doubted the degree of citizens' interest and involvement, quoting their incessant complaints: « they always want something else! » (Expert 2). It is a curious thing that the Toolbox for Practitioners in Public Administrations prepared by the European Commission describes such behaviour of citizens in the section titled « Growing demands on public services », and the proffered explanation is that the public sector experiences a growing pressure from the private sector where the client servicing standards are, as a rule, higher. Some pressure also comes from the side of the media which « encourage citizens to become more vocal and demanding » (European Commission 2015, p.221).

At the same time, regardless of whether the citizens themselves are aware of it or not, the general opinion is that they will be « the first to receive this positive fruit of dealing with information that provides more information, more transparency and also an administration, which will be more efficient » (Expert 1).

Information governance : nature and implementation from the European public administrations' perspective